December 1, 2020
UNOFFICIAL ENGLISH TRANSLATION
Belgian Data Protection Authority – Publication
COOPERATION PROTOCOL BETWEEN DNS BELGIUM ASBL AND
THE DATA PROTECTION AUTHORITY
DNS Belgium non-profit organization (hereinafter DNS Belgium), Ubicenter, Philipssite 5, box 13, 3001 Leuven (Heverlee), represented by Mr. Philip Du Bois, General Manager,
On the one hand,
The Data Protection Authority (hereinafter the DPA), rue de la Presse 35, 1000 Brussels, represented by Mr. David Stevens, President,
On the other hand.
Art. 1 Background
DNS Belgium is a not-for-profit organization that was established in 1999 with the aim of organizing the registration of domain names, making the Internet accessible and promoting its use.
The vision of the organization is as follows: “In a digital society where everyone is aware of the possibilities and has access to the advantages of domain names, DNS Belgium acts, in a sustainable way, as a center of excellence”.
DNS Belgium’s mission in this respect is to:
- ensure the operational and administrative management of the .be domain name zones in a secure and qualitative manner;
- make the Internet more accessible by acting as an intermediary for all potential Internet users at national and international level;
- promote the use of the Internet via domain names.
Within the framework of the aforementioned objectives, DNS Belgium has already developed several procedures to increase the security and quality of the .be domain name zone:
- In collaboration with Cepani, an alternative settlement procedure has been developed for .be domain names;
- DNS Belgium carries out daily checks to ensure the correctness of the contact details of the holders of newly registered .be domain names;
- DNS Belgium has developed an anti-abuse application to detect certain abuses (e.g. phishing);
- DNS Belgium has developed administrative procedures (bad WHOIS and revoke+ procedures) to take appropriate action against .be domain name holders who act in breach of the applicable general terms and conditions.
However, DNS Belgium is not a judicial body and is therefore not authorised to make a legal assessment of possible infringements of the law that are reported in connection with websites under a .be domain name. Such an assessment falls within the competence of the courts, the public prosecutor’s offices and other public services designated for this purpose, such as the DPA. On the basis of a legal assessment by an authorised body, DNS Belgium can, on the other hand, claim that the holder of a .be domain name has breached the general terms and conditions applicable to holders of .be domain names. DNS Belgium can also provide the competent authorities, at their request, with useful information for the further investigation of possible illegal practices.
THE DATA PROTECTION AUTHORITY
Since May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “GDPR”) applies. Article 51 of the GDPR requires each EU Member State to designate an independent public authority to oversee the application of the GDPR and in Belgium, the DPA, among others, has been designated by the legislator to take on this role. The DPA was created by the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “the LCA”) and is an independent body responsible for ensuring that the fundamental principles of personal data protection are properly respected.
In accordance with Article 52 of the LCA, the DPA carries out its tasks in consultation with all public and private actors concerned by the policy of protection of fundamental rights of natural persons with regard to the processing and free flow of personal data.
The Authority is composed of 5 Directorates and a Management Committee. The legal missions of two of these directorates, namely the Inspection Service and the Litigation Chamber, require collaboration with DNS Belgium.
In accordance with article 28 of the LCA, the Inspection Service is the investigative body of the DPA. This means that it is responsible for examining complaints relating to personal data legislation and serious indications of violations of this legislation. On the basis of the LCA, the Inspection Service has broad investigative powers (such as identifying, interviewing persons, conducting an on-site investigation, etc.) and, pursuant to Article 70 of the LCA and Article 58 of the GDPR, it may also impose and execute provisional measures, including ordering the suspension, limitation or temporary freezing of the processing of data under investigation.
The Litigation Chamber is the DPA’s administrative litigation body. Pursuant to Article 100 of the LCA and Article 58 of the GDPR, it is competent, inter alia, to order the freezing, restriction or prohibition of the processing of personal data.
For the Inspection Service and the DPA’s Litigation Chamber to fully carry out their legal duties, they must also have appropriate means at their disposal in cases where controllers or processors do not comply with their injunctions. In such situations, the Notice & Action procedure implemented in the present protocol can provide a solution.
Taking into account the extended investigative mission of the DPA’s Inspection Service defined in the LCA on the one hand, and the key position occupied by DNS Belgium in Belgian Internet traffic on the other hand, it is also necessary to develop a similar cooperation between the two actors, such as the cooperation provided by public services vis-à-vis the DPA’s Inspection Service (see Article 68 of the LCA).
Art. 2 Two-tier cooperation
COOPERATION IN INVESTIGATIONS BY THE DPA’s INSPECTION SERVICE
DNS Belgium is obliged, vis-à-vis the DPA’s Inspection Service, to
- provide it with any information at its disposal whenever the DPA’s Inspection Service deems it useful for its investigative mission defined in the LCA,
- produce, for its information, all information material and provide copies in any form, when the Inspection Service deems them useful for its investigative mission defined in the LCA.
If this information relates to an ongoing investigation or information, it may only be communicated with the prior authorization of the public prosecutor or the investigating judge.
THE NOTICE & ACTION PROCEDURE
Both DNS Belgium and the DPA attach great importance to the GDPR compliance of the processing of personal data on the Internet in general and on the websites of the .be domain name zone in particular.
The concern to support quality and security on the Internet as much as possible has led DNS Belgium to set up the “Abuse Policy” working group in March 2012. Many public partners were part of this working group (such as the BISC of the FPS Finance, FCCU, IBBT, Belnet/CERT).
The concept of a Notice & Action procedure was also developed within the framework of this working group. This procedure defines the principles according to which .be domain names can be redirected to a warning page of the public authority legally empowered to intervene against serious infringements of certain rules of law. DNS Belgium can then also delete the website that is linked to the .be domain name.
In view of the legal competence of the Inspection Service and the Litigation Chamber of the DPA to suspend, limit or (temporarily) suspend the processing of personal data, they can also resort to this Notice & Action procedure on the basis of this protocol.
If the Inspection Service or the Litigation Chamber of the DPA finds that the processing of personal data via a website linked to a .be domain name constitutes a breach of the fundamental principles of privacy protection and if the controllers or processors do not comply with the order to suspend, limit, (temporarily) suspend or terminate the processing of personal data within the time limit set by the order, they shall notify DNS Belgium in accordance with article 4 of this protocol.
With a view to a fair balance between:
- the purpose of putting an end to infringements of the fundamental principles of privacy protection in the interest of the citizen,
- and the use of the necessary technical means by DNS Belgium to meet this purpose,
the scope of application of this procedure is limited to the infringements that cause the greatest prejudice to the interests to be protected, committed by organizations or persons who deliberately violate this legislation and who continue their processing of personal data despite a previous injunction from the Inspection Service or the Litigation Chamber to suspend, limit, suspend (temporarily) or terminate it.
Art. 3 Legal and regulatory framework within which the DPA operates – scope of cooperation
The DPA generally ensures that the fundamental principles of personal data protection are respected. Its basic reference framework is contained in the GDPR, the LCA and the Law of July 30, 2018 on the protection of individuals regarding the processing of personal data.
In addition, there are also numerous provisions in other regulations that touch upon the fundamental principles of personal data protection which – depending on the specific context of each case – are inseparably part of the DPA reference framework. As an example, we can cite the Law of 21 March 2007 regulating the installation and use of surveillance cameras and its implementing decrees.
Art. 4 Implementing rules relating to the Notice & Action procedure
- a) Conduct of the procedure
Based on the proposal of the Inspector General or the President of the Litigation Chamber, the President of the DPA shall send a notification via the e-mail address email@example.com of DNS Belgium, mentioning the .be domain name concerned in the subject line of the e-mail, a copy of which shall also be sent to the Inspection Service and/or the Litigation Chamber via the e-mail addresses firstname.lastname@example.org or email@example.com. The aforementioned e-mail addresses are used for all further communication between the DPA and DNS Belgium.
Upon receipt of this notification, DNS Belgium shall – within 1 working day – send an e-mail notification to the domain name holder and inform it that the observed use of the domain name also constitutes a breach of DNS Belgium’s general terms and conditions. DNS Belgium shall send a copy of this e-mail to the DPA as confirmation that the procedure has indeed been initiated. In accordance with the general terms and conditions of DNS Belgium, the domain name holder must comply with the general terms and conditions within 14 days by ceasing the infringements, failing which DNS Belgium may withdraw the right to use the domain name. At the same time as the e-mail is sent to the domain name holder, DNS Belgium shall take the necessary technical measures to redirect the indicated domain name to a DPA warning page, hosted by DNS Belgium. The effect of this measure is that the website that was originally linked to the domain name can no longer be visited via the indicated domain name. After an initial period that depends on the application of the periods mentioned in this article (but which is at least 6 months + 14 days), DNS Belgium can definitively withdraw the right of use and cancel the domain name. However, the redirection will be interrupted and the link to the initial website will be reinstated if it is established during this period that there is no question of an infringement as mentioned in Article 2 or that the domain name holder has in the meantime complied with the rules or if the DPA requests DNS Belgium to suspend or stop the procedure (for example in application of Article 70, second paragraph of the LCA).
After expiry of the 14-day period and provided that DNS Belgium has not been informed of any remedial action taken by the domain name holder and has not received a request from the DPA to suspend or terminate the procedure, DNS Belgium shall send a reminder e-mail to the DPA so that the DPA can check whether the domain name holder has complied with the legal provision(s) mentioned in the notification or whether there are any new elements that call for the suspension or termination of the procedure.
The DPA then informs DNS Belgium as to whether or not the domain name should be withdrawn and communicates this decision to the domain name holder.
If DNS Belgium receives information from the DPA that the domain name holder has in the meantime complied or that the procedure must be suspended or stopped for other reasons, or if DNS Belgium does not receive any information from the DPA within 14 days after the reminder e-mail has been sent, DNS Belgium will remove the redirection to the warning page of the DPA and reinstate the domain name in the .be zone file.
If DNS Belgium is informed by the domain name holder within the 14-day period that remedial action has been taken, it shall inform the DPA within 2 working days. At the latest within 14 working days after this notification, the DPA shall inform DNS Belgium whether the domain name holder has complied with this notification or whether there are other reasons to suspend or terminate the procedure. If this information results in an assertion, or if the DPA has failed to respond within this period, DNS Belgium shall remove the redirection to the warning page of the DPA and reintegrate the domain name in the .be zone file.
When the DPA is informed by the domain name holder of remedial measures taken and/or if there is a request for suspension or termination of the procedure, the DPA shall verify within 14 days whether the domain name holder has complied with the requirements or whether a suspension or termination of the procedure is necessary and shall inform DNS Belgium of its decision within this period. In case of a favourable decision or if no decision is taken within this period, DNS Belgium will remove the redirection to the DPA warning page and reinstate the domain name in the .be zone file.
If the domain name holder has not complied and the DPA has not requested to suspend or stop the procedure for other reasons, DNS Belgium shall continue to redirect the domain name to the warning page of the DPA for a further period of 6 months. At the end of these 6 months, DNS Belgium attaches the domain name to one of its temporary accounts and then cancels the domain name. The domain name is then quarantined for 40 days. At the end of this quarantine period, the domain name is released again and is available for registration on a “first come, first served” basis.
At any time during the procedure, DNS Belgium and the DPA undertake to inform each other within two working days of receipt of a communication from the domain name holder.
DNS Belgium undertakes to provide the DPA, at any time during the procedure, with all useful (technical) information that the DPA needs in order to be able to check whether a suspension or termination of the procedure is appropriate.
- b) Content of the DPA notification
The notification that the DPA sends to DNS Belgium must contain the following information:
- name and e-mail address of the Inspector General or the President of the DPA’s Litigation Chamber who found the infringement within its competence;
- the .be domain name that is used to commit the infringement of a regulation of point 2 of this Cooperation Protocol (also to be mentioned in the subject line of the e-mail to DNS Belgium);
- the provision(s) of the regulation(s) of point 2 of this Cooperation Protocol that is (are) infringed;
- the reference of the DPA file; the date and signature of the Inspector General or the President of the DPA’s Litigation Chamber who discovered the infringement(s);
- confirmation from the Inspector General or the President of the DPA’s Litigation Chamber that it is competent to intervene within the framework of the regulations listed in point 2 of this Cooperation Protocol and that it has found that the domain name indicated is being used to commit a violation of one or more of the regulations listed in point 2 of this Cooperation Protocol.
- c) Content of the e-mail from DNS Belgium to the domain name holder who has committed an infringement of the regulations mentioned in point 2
The e-mail that DNS Belgium sends to the domain name holder contains the following information:
- a statement of the provisions of the regulations that have been infringed;
- a request to take the necessary actions to put an end to this (these) violation(s);
- offence(s) with reference to the DPA file reference;
- a warning that the right to use the domain name may be suspended for failure to comply with the general terms and conditions for the registration of the domain name in the .be domain managed by DNS Belgium, if the request is not answered within 14 days;
- a statement that DNS Belgium will immediately redirect the domain name to a warning page of the DPA;
- contact details of the Inspector General or the President of the Litigation Chamber of DPA who made the finding, so that the domain name holder can contact this service for any questions, remarks or additional information regarding the infringement(s) found.
This e-mail is sent to the e-mail address of the domain name holder as mentioned in the DNS Belgium registration system.
The Inspector General or the President of the Litigation Chamber of the DPA who has established the infringement(s) will receive a copy of the e-mail sent to the domain name holder so that it can be informed when the 14-day period starts and when it ends and so that it can ensure a better follow-up of the case.
In this e-mail DNS Belgium shall also indicate via which IP address the website in question can still be consulted so that the DPA can, if necessary, carry out the necessary checks to decide on a suspension or termination of the procedure (see above).
DNS Belgium will also indicate whether the file has been the subject of an intervention by the public prosecutor’s office.
DNS Belgium will then send an e-mail to the registrar that manages the .be domain name in question, informing it that the domain name holder has been served with a notice of default for infringements of DNS Belgium’s general terms and conditions and will also inform the registrar of the redirection to the DPA warning page.
- d) Content of the warning page
The content of the warning page, as well as its possible modification, is provided by the DPA (at the e-mail address firstname.lastname@example.org) and is in principle standard.
- e) Control and possible consequences
The Inspector General or the President of the DPA’s Litigation Chamber is responsible for establishing the infringement(s). For any question related to this (these) infringement(s), DNS Belgium will refer the domain name holder to the DPA.
The Inspector General or the President of the DPA’s Litigation Chamber may, at its discretion, grant the domain name holder additional time to comply. The Inspector General or the President of the Litigation Chamber of the DPA will inform DNS Belgium by e-mail (at the e-mail address: email@example.com).
The Inspector General or the President of the Litigation Chamber of the DPA will check, at the latest at the end of the 14-day period (or any additional period that may be granted), whether or not the domain name holder has taken the necessary measures to put an end to the infringements mentioned in the notification, or whether there are other reasons to suspend or stop the procedure, and will inform DNS Belgium by e-mail (at the e-mail address: firstname.lastname@example.org) which of the following options should be applied:
- the domain name can be included in the zone file again;
- the domain name must be permanently removed.
Art. 5 Responsibilities
DNS Belgium strives to prevent domain name holders from using the services it offers for illegal purposes. The general terms and conditions explicitly state that the domain name holder declares and guarantees that the domain name has not been registered for an illegal purpose, or that the registration of the domain name will not violate the rights of a third party in any way. DNS Belgium may, at any time, terminate the right of use if the domain name holder does not, or no longer, complies with the terms and conditions of the domain name registration. DNS Belgium is, however, confronted with requests from third parties claiming to be victims of allegedly unlawful behaviour on the part of domain name holders, via the websites linked to the domain names it manages. DNS Belgium is in an uncomfortable position regarding these requests:
- on the one hand, DNS Belgium runs the risk of being held civilly liable when it terminates the right of use, if it subsequently turns out that the notification on which the action is based is unfounded,
- on the other hand, DNS Belgium runs the risk of being held criminally liable if, after having been informed of the allegedly illegal activities, it contributes, through its activity as a technical intermediary, to facilitating the commission or prosecution of criminal offences.
The purpose of this protocol is to optimise the procedures for the removal of illegal content on the Internet, through the technical intervention of DNS Belgium regarding the right of use of a domain name, while ensuring that the procedures put in place respect the principle of proportionality of the sanction in relation to the infringement committed, the fundamental rights of the domain name holders and the legal security of DNS Belgium.
To this end, according to the rules of common law, the DPA assumes responsibility for the qualification of the infringement as notified by it. If the domain name holder believes that the qualification of the infringement by the DPA is an error that causes it prejudice, the general law of liability applies vis-à-vis the DPA.
The DPA declares that it will intervene spontaneously in the event of claims by third parties for any damage caused directly or indirectly to third parties by or as a result of the actions carried out by DNS Belgium on behalf of the DPA in the context of the proper execution of this Protocol of Cooperation.
DNS Belgium, for its part, continues to assume its contractual liability. The general law of liability applies, for example, to DNS Belgium in the event of improper execution of the sanctions provided for in its general terms and conditions.
DNS Belgium declares that it will spontaneously intervene in the event of claims by third parties against the DPA for any damage caused directly or indirectly to third parties by or as a result of faulty actions executed by DNS Belgium.
Art. 6 Processing of personal data and obligation of confidentiality
The parties confirm that the General Data Protection Regulation (GDPR) applies, as well as other data protection provisions such as the Belgian Law of July 30, 2018 on the processing of personal data. This means, among other things, that the parties must comply with the obligations and principles contained therein.
The cooperation implies in particular that the DPA may send DNS Belgium information and documents containing personal data that the DPA processes in the framework of its legal tasks. DNS Belgium will ensure that this information and documents are processed within the framework of the GDPR and guarantees in this respect – in application of article 48, § 2 of the LCA – the utmost confidentiality. Furthermore, DNS Belgium will not communicate these documents or put them at the disposal, in any way whatsoever, of another party or organisation which is not under the direct authority of DNS Belgium.
The DPA will take appropriate technical measures to ensure that the sending of documents containing sensitive information and personal data is done in a secure manner. DNS Belgium shall ensure that these measures are complied with.
If DNS Belgium has appointed a Data Protection Officer (DPO), it will communicate the contact details of this person to the DPA so that the cooperation takes place in accordance with the GDPR and is rectified if necessary.
Art. 7 Coordinating Committee
Upon decision of the parties, a committee can be set up, composed of representatives of the DPA and DNS Belgium. In accordance with article 17 of the LCA, the members are appointed by the competent bodies of the DPA and by the General Manager of DNS Belgium.
It is the responsibility of the Coordination Committee to ensure the smooth running of the procedures of this protocol and the commitments made. The committee meets at least once a year and whenever necessary to meet the objectives of this protocol.
Disputes between DNS Belgium and the DPA concerning the present protocol will in principle be settled by mediation within the coordination committee.
The coordination committee may possibly decide to draw up an annual report containing relevant statistics on concrete cases, recommendations relating to this protocol and the procedures it contains, a report on similar initiatives in Belgium or abroad, etc.
Art. 8 Costs
DNS Belgium and the DPA shall each separately bear the costs related to their own actions that they undertake in execution of this protocol.
Art. 9 Commitment to extend the cooperation to the .vlaanderen and .brussels domain name zones in the future
DNS Belgium undertakes to inform the DPA as soon as it finds that it is technically and legally possible to extend the cooperation established in the present protocol to both other domain name zones that it manages, namely .vlaanderen and .brussels. At that moment DNS Belgium and the DPA commit themselves to start negotiations between them as a matter of priority in order to formalise the aforementioned extension of the cooperation.
Art. 10 Entry into force and publication
The present protocol comes into force on 01/12/2020.
This Protocol will be published on the DPA’s website. It will also be brought to the attention of:
– the House of Representatives;
– the Minister or Secretary of State responsible for privacy;
Art. 11 End of the protocol
The protocol can be terminated by both parties by giving 3 months’ notice, notified to the other party by registered mail or via another sustainable data carrier. The notice period begins at the beginning of the month following the month in which the notice was sent.
Done and signed in Brussels on 26/11/2020 in two copies in French and Dutch.
For DNS Belgium:
Philip Du Bois, General Manager
For the DPA:
David Stevens, President
Hielke Hijmans, President of the DPA’s Litigation Chamber
Peter Van den Eynde, Inspector General of the DPA